In the past decade, data and IT security has risen to the top of most corporate risk registers. Almost every sector of the global economy is vulnerable to increasingly sophisticated cyber attacks and substantial regulatory fines, and class actions are now a distinct possibility following significant data breaches.

There is much that can be done, up-front, to mitigate this risk, as many corporations do by investing in IT security and employee education, and by procuring insurance and breach response services (both forensic and legal). Those same response services can be deployed to manage the consequences of an adverse incident in the immediate aftermath of a breach.

For a company that has been the victim of cyber fraud, the immediate response may entail tracing and seeking to recover its stolen assets by way of freezing bank payments. Or, for a company that has suffered a compromise of personal data following a breach, it may mean engaging with the Information Commissioner’s Office (or its equivalent in the relevant jurisdiction) and with affected data subjects in order to satisfy its legal obligations and minimise any resulting penalties or liabilities, while also dealing with the threat of a group litigation order in respect of claims being brought by affected individuals.

The recent announcement of a new court in London specialising in cyber crime is evidence of the ever-increasing trend of cyber fraud. At the same time, the English civil courts are witnessing a new wave of cyber litigation brought by data subjects whose personal information has been compromised, often en masse. As three recent, high-profile cases from 2018 show, the courts are developing a legal framework for the resolution of such claims.

Apr-Jun 2019 issue

Norton Rose Fulbright LLP